General

  • Target

    b4409e0577f703425e8e4b4412a8c6e0151a8f35d6733339be2055bec257f5bf

  • Size

    150KB

  • Sample

    240417-rss9jsdd6t

  • MD5

    47799487fdf21cd0626e075b7f951b79

  • SHA1

    4c58e321a8bfc65e4a3ffb6f7d35d8ad812dd8c2

  • SHA256

    b4409e0577f703425e8e4b4412a8c6e0151a8f35d6733339be2055bec257f5bf

  • SHA512

    e3089c32963e9b03a56f11c49e716f85a3638e69ee4dcae017ac01767297a4a87e7ff76590e9bb34222467abb55c91dbd6639ecfcb2eda274267b440c63a054d

  • SSDEEP

    3072:S/OavL8wCrTIcWuC7jTH7pwMgnICzxyiGQDhd9SrHWHuiJG7Qx:St4XPzCyMuIWUiGG36sJMUx

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Targets

    • Target

      1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe

    • Size

      232KB

    • MD5

      2c474a834185c1b3d4e58a390d3ad5c0

    • SHA1

      a682acd5e698a74136b58395bf327247fdfd55f7

    • SHA256

      1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e

    • SHA512

      62a11db47522753a0506cb8a4ce074a49c1cd3fca5ce26a9407450d1e11373c92bd5765c3a85b23979b82cdd2c786a23ff5f912447619b410b9347e4ad1f9724

    • SSDEEP

      3072:IJ+Uxkz08IhV4CxGoCO8fWgzOOKpBxUHGgqYZrbfCXMgS568tZJB:USIhVwefOOQMlE

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Deletes itself

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

      Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

      Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

      Modify Registry (T1112): 1

  • Discovery

      Query Registry (T1012): 2
      Peripheral Device Discovery (T1120): 1
      System Information Discovery (T1082): 1

  • Command and Control

      Web Service (T1102): 1